DIFFERENCE BETWEEN VULNERABILITY SCANNING AND PENETRATION TESTING
By Dan Beavin, Director Offensive Security Operations
A Vigilant Know More Series
Vulnerability Scan, Penetration Test, Red Team…. What’s the difference and which one is right for me?
This is a question I get asked often by clients and it depends on a large number of factors which I'll cover in this blog post. Many security professionals have slight differences of opinion on when a company should look into each of these topics but I'm going to outline what I personally have seen work best.
Let’s start by defining what each topic really is.
In the simplest terms, a vulnerability scan or assessment is an automated tool that will look for known vulnerabilities. Most scanners use a list of known vulnerabilities such as the National Vulnerability Database. Vulnerability scans typically do not exploit any flaws or vulnerabilities discovered.
Vulnerability scans can be conducted as an authenticated or unauthenticated scan: An unauthenticated scan will scan the ports or services of a system or application and try to determine the operating system, application, or the software running on the system. The vulnerability scanner will take the information gathered during the scan and try to match that up against an existing database of known vulnerabilities that "could" exist on the system. An authenticated scan is more precise and detailed. Since the scan is able to login directly to the system or application, it can gather specific data about the operating system and applications installed then provide more specific vulnerability data.
Unauthenticated and authenticated scanning both can create some false positive data though which is important to call out. The reason for this is that scanners rely on static indicators for a vulnerability and cannot take into account a workaround or other security solution put in place. The scanner will simply look for a specific patch and if it is missing an alert will be created. As a result, I always recommend going through your results and removing any false positive items before reporting any metrics or starting a remediation operation.
This is a great lead into defining penetration testing. Penetration testing will seem similar to vulnerability scanning and will generate questions as to why one is needed versus another. Penetration testing allows ethical hackers to simulate a real world cyber-attack against a system, application, or entire infrastructure. Vulnerabilities and weaknesses are discovered during a penetration test and then exploited using the same tools and techniques that real attackers would use. The biggest difference between a vulnerability scan and a penetration test is the active exploitation by a human operator. A human is able to determine possible workarounds put in place to mitigate a vulnerability and circumvent those. Penetration testing will help an organization identify how a hacker might target you and the methods used during the attack. A penetration test will also help an organization see how their defensive tooling would stand up to an attack and the possible risk of a breach to an organization.
Penetration testing can look different from test to test as this is a manual operation and relies on the knowledge and skills of the ethical hackers conducting the test. Many times individuals will use a vulnerability scanner on a pentest, exploit one or two items, and call it a penetration test. Be very wary of offerings like this as you are not getting the perceived value that is being presented to you. A true pentest will use some automated scanning and some manual operations and tasks. The manual operations should greatly outweigh the automated ones. Penetration tests are meant to find as many vulnerabilities and exploits as possible within the scope and time frame of the test.
Red teaming is our final category to cover. This is the item I get asked about most frequently as it’s become a "buzzword" in the last few years. Red teaming is similar to penetration testing in the fact that ethical hackers are looking to compromise systems. The biggest difference is that in red teaming you are not trying to compromise every vulnerability you find. Red team engagements are objective based and generally have a narrow focus. This could be as simple as exfiltrating PII/PHI, intellectual property, or obtaining domain administrator access.
How this is accomplished is quite different from a penetration test as well. During a penetration test stealth isn't necessary. The test is generally known by many parties inside the organization. During a red team engagement the operators move in a methodical way slowly and stealthily through an environment. Red team engagements are longer term engagements that focus on a specific objective and target and attempt to achieve this in any way they can. Social engineering is involved with a red team engagement and can vary from email phishing, phone vishing, or face to face interactions with an organization's employees. Red teaming is generally best for an organization with a mature security program, but this is not always a requirement.
Now that we have defined in a little more detail vulnerability scans, penetration testing, and red teaming; how do you know what to choose for your company? I always suggest conducting an authenticated vulnerability scan first as this will help you address the "low hanging" fruit first. This should be a regular scan and not a one-time scan as a one-time scan generally creates a large list of "must fix" items that gives a false sense of security. New vulnerabilities are disclosed every day and a continuous vulnerability scanning solution is the best option.
After you have a great vulnerability management program in place, penetration testing becomes a more effective tool. You can do penetration testing without vulnerability scanning, however, the penetration testers will spend more time identifying vulnerabilities that a scanner could easily find for you. This will mean less time the testers can focus on attack simulation. Penetration tests can help identify misconfigurations, validate vulnerabilities, and provide more insight into how you would fare in a real cyber-attack.
Finally red teaming! This is hands down my favorite type of engagement to conduct. You will have a team of ethical hackers simulate a real world attack against your organization with a specific objective or goal to accomplish. If you are a manufacturing company, intellectual property such as design documents, research and development data, or even your customer lists could be prime targets for theft from a criminal attacker. You want to determine if someone were to get in, could that attacker access this data and steal it without being detected. Sure you may detect the attacker eventually, but how much data was taken if any before the first alert? Did you even get an alert? Do you even know you were breached? A red team engagement will help find those blind spots in your organization and provide specific guidance on how to mitigate those moving forward. Red teaming helps to take the focus away from specific vulnerabilities or exploits and focuses more on the people, processes, and defenses in an organization.
I believe all organizations would benefit from each of these services and offerings. Vigilant can help you assess your current security posture and maturity level and help you determine the best place to start. The Offensive Security Operations team is excited to work with you! Contact us today to further secure your company!